Re: Solved one, new problem - RE: SSL Connection problems
"Doyon, Jean-Francois" wrote:
>
> Dave,
>
> Aha, finally, figured it out :) I just discovered the tip of using -d127
> with ldapsearch, and that gave me the missing piece of the puzzle.
>
> Indeed, looks like the TLS subsystem not only wants the CN to match exactly
> the name *I* provide, but ALSO the name obtained from a reverse lookup!
>
> Here's the problem now:
>
> When I connect locally from the same box as the server, the TLS subsystem
> seems to reverse lookup only the hostname, as "grumbler" ... But from other
> machines, the hostname is "grumbler.ccrs.nrcan.gc.ca"! So now it seems like
> I can't have a certificate to satisfy both conditions! I can use "grumbler"
> in the certificate, but that will only work for connections that come from
> that same host, or from Netscape Directory SDK connections, that don't seem
> to look at the reverse lookup issue. If I change the certificate to use the
> FQDN, now I can't do local connections, because it doesn't match "grumbler"
> ...
>
> Oh and BTW the "hostname" command on the box does return the FQDN, not just
> "grumbler" ...
>
> The chicken and the egg problem ...
>
> Anybody have any ideas on how to get around this one?
>
> Thanks,
> J.F.
Could this be something to do with a change in default config introduced
sometime ago? Make sure you configure with
--enable-rlookups
Dave
--
Dave Lewney
Principal Systems Programmer, Computing Service
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956